| Commit message (Collapse) | Author | Age | Files | Lines |
| |
* modules/pam_limits/pam_limits.c (parse_config_file): Use
VENDOR_SCONFIGDIR macro instead of VENDORDIR.
| |
This is a VENDORDIR version of SCONFIGDIR macro, defined to
VENDORDIR"/security" when --enable-vendordir is used for build.
* configure.ac (AC_DEFINE_UNQUOTED): Add VENDOR_SCONFIGDIR.
| |
source code
Since SCONFIGDIR macro is available, there is no need to define macros
based on SCONFIGDIR in Makefile.am files.
* modules/pam_access/Makefile.am (AM_CFLAGS): Move definitions of
PAM_ACCESS_CONFIG and ACCESS_CONF_GLOB macros ...
* modules/pam_access/pam_access.c: ... here.
* modules/pam_env/Makefile.am (AM_CFLAGS): Move definition of
DEFAULT_CONF_FILE macro ...
* modules/pam_env/pam_env.c: ... here.
* modules/pam_group/Makefile.am (AM_CFLAGS): Move definition of
PAM_GROUP_CONF macro ...
* modules/pam_group/pam_group.c: ... here.
* modules/pam_limits/Makefile.am (AM_CFLAGS): Move definition of
LIMITS_FILE macro ...
* modules/pam_limits/pam_limits.c: ... here.
* modules/pam_sepermit/Makefile.am (AM_CFLAGS): Move definition of
SEPERMIT_CONF_FILE macro ...
* modules/pam_sepermit/pam_sepermit.c: ... here.
* modules/pam_time/Makefile.am (AM_CFLAGS): Move definition of
PAM_TIME_CONF macro ...
* modules/pam_time/pam_time.c: ... here.
| |
LIMITS_FILE_DIR used to define a glob pattern instead of a directory
name, fix that inconsistency.
* modules/pam_limits/Makefile.am (AM_CFLAGS): Move "/*.conf" ending of
LIMITS_FILE_DIR macro ...
* modules/pam_limits/pam_limits.c (LIMITS_CONF_GLOB): ... here.
| |
Use SCONFIGDIR macro instead of open-coding "/etc/security",
the latter is not correct when configured using --enable-sconfigdir
with an argument different from /etc/security.
* modules/pam_faillock/faillock.h (FAILLOCK_DEFAULT_CONF): Use
SCONFIGDIR.
* modules/pam_namespace/pam_namespace.h (SECURECONF_DIR): Remove.
(PAM_NAMESPACE_CONFIG, NAMESPACE_INIT_SCRIPT, NAMESPACE_D_DIR,
NAMESPACE_D_GLOB): Use SCONFIGDIR.
* modules/pam_namespace/Makefile.am (AM_CFLAGS): Remove
-DSECURECONF_DIR.
* modules/pam_pwhistory/opasswd.c (OLD_PASSWORDS_FILE): Use SCONFIGDIR.
* modules/pam_unix/passverify.h: Likewise.
* modules/pam_unix/passverify.c (OPW_TMPFILE): Use SCONFIGDIR.
| |
Follow the VENDORDIR example and introduce a macro defined to the
argument of --enable-sconfigdir option. Unlike --enable-vendordir,
--enable-sconfigdir has a default value, so when --enable-sconfigdir
is not used for build, SCONFIGDIR will be defined to that default value.
* configure.ac (AC_DEFINE_UNQUOTED): Add SCONFIGDIR.
| |
The parser of conf= option failed to recognize the option unless
it was specified without an argument, making it useless.
* modules/pam_sepermit/pam_sepermit.c: Include "pam_inline.h".
(pam_sm_authenticate): Fix parsing of conf= option.
* modules/pam_sepermit/tst-pam_sepermit-retval.c: Check conf= option.
Co-authored-by: Stefan Schubert <schubi@suse.de>
Resolves: https://github.com/linux-pam/linux-pam/pull/429
| |
* modules/pam_sepermit/tst-pam_sepermit-retval.c: New file.
* modules/pam_sepermit/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_sepermit_retval_LDADD): New variables.
| |
fix: typing error
| |
* examples/Makefile.am: Add tty_conv to noinst_PROGRAMS
* examples/tty_conv.c: A new example of conversation function.
| |
This adjusts the documentation for the changes from PR#418
We no longer fail if the config file does not exist.
| |
* modules/pam_rootok/pam_rootok.c (log_callback): Move audit_fd
definition under HAVE_LIBAUDIT guard.
| |
A config with only comments or an empty one is completely fine for
pam_limits. So don't complain about missing config files either.
| |
* README: Rename install_dependencies.sh to install-dependencies.sh.
Fixes: v1.4.0~211 ("Adjust README with instructions for package prerequsities")
| |
Fixes:
# ./run-xtests.sh . tst-pam_access1
mv: cannot stat '/etc/security/opasswd': No such file or directory
PASS: tst-pam_access1
mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory
==================
1 tests passed
0 tests not run
==================
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
| |
As PR_SET_NO_NEW_PRIVS was introduced by Linux kernel commit
v3.5-rc1~161^2~37, provide a fallback definition to fix build
with older Linux kernel headers.
* modules/pam_limits/pam_limits.c [!PR_SET_NO_NEW_PRIVS]
(PR_SET_NO_NEW_PRIVS): New macro.
Resolves: https://github.com/linux-pam/linux-pam/issues/406
Fixes: dd9cf929 ("modules/pam_limits: add support for nonewprivs")
| |
* Use vendor specific limits.conf as fallback
| |
* modules/pam_pwhistory/pam_pwhistory.c: Replace "crypted password" with
"hashed password" in comment.
* modules/pam_unix/passverify.c (create_password_hash): Rename "crypted"
local variable to "hashed".
| |
libxcrypt provides a libcrypt.pc file so use it if available as this
will allow to retrieve the library path (e.g.
-L/home/buildroot/output/host//riscv64-buildroot-linux-musl/sysroot/usr/lib)
which is useful when cross-compiling and will avoid the following build
failure on buildroot:
/home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/riscv64-buildroot-linux-musl/10.2.0/../../../../riscv64-buildroot-linux-musl/bin/ld: .libs/passverify.o: in function `.L30':
passverify.c:(.text+0x368): undefined reference to `crypt_checksalt'
Fixes:
- http://autobuild.buildroot.org/results/20b14e222b35c2d1269960075832b784ba81aa1a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
| |
The getspnam(3) manual page says that errno shall be set to EACCES when
the caller does not have permission to access the shadow password file.
Unfortunately, this contract is broken when libnss_systemd is used in
the nss stack.
Work around this problem by falling back to the helper invocation when
pam_modutil_getspnam returns NULL regardless of errno. As pam_unix
already behaves this way when selinux is enabled, it should be OK
for the case when selinux is not enabled, too.
* modules/pam_unix/passverify.c (get_account_info): When
pam_modutil_getspnam returns NULL, unconditionally fall back
to the helper invocation.
Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root")
Resolves: https://github.com/linux-pam/linux-pam/issues/379
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
| |
Closes: https://github.com/linux-pam/linux-pam/issues/383
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
| |
Currently translated at 100.0% (99 of 99 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
| |
Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
command.
| |
* configure.ac (AC_INIT): Raise version to 1.5.2.
* NEWS: Update.
| |
* modules/pam_faillock/pam_faillock.c (faillock_message): Remove the
comment that meant to help translators but actually confused xgettext.
|
| |
Failing to check the descriptor value meant that there was a bug in the
attempt to close the controlling tty. Moreover, this would lead to a
file descriptor leak as pointed out by the static analyzer tool:
Error: RESOURCE_LEAK (CWE-772): [#def26]
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious. "t" leaks when it is zero.
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
365| pam_syslog(pamh, LOG_ERR,
366| "child cannot become new session: %m");
367|-> return PAM_ABORT;
368| }
369|
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
| |
Remove the hard-coding of the idea that the only way pam_unix.so can
read the shadow file is if it can, in some way, run setuid-root.
Linux capabilities only require cap_dac_override to read the /etc/shadow
file.
This change achieves two things: it opens a path for a linux-pam
application to run without being setuid-root; further, it allows
unix_chkpwd to run non-setuid-root if it is installed:
sudo setcap cap_dac_override=ep unix_chkpwd
If we wanted to link against libcap, we could install this binary with
cap_dac_override=p, and use cap_set_proc() to raise the effective bit
at runtime. However, some distributions already link unix_chkpwd
against libcap-ng for some, likely spurious, reason so "ep" is fine
for now.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
| |
Fix the following build failure with libxcrypt and uclibc-ng:
ld: unix_chkpwd-passverify.o: in function `verify_pwd_hash':
passverify.c:(.text+0xab4): undefined reference to `crypt_checksalt'
Fixes:
- http://autobuild.buildroot.org/results/65d68b7c9c7de1c7cb0f941ff9982f93a49a56f8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
| |
* .gitignore: Add .pc files as they are generated by autoconf.
* configure.ac: Generate .pc files for libpam, libpam_misc and libpamc.
* libpam/Makefile.am: Install pam.pc.
* libpam/pam.pc.in: New file.
* libpam_misc/Makefile.am: Install pam_misc.pc
* libpam_misc/pam_misc.pc.in: New file.
* libpamc/Makefile.am: Install pamc.pc
This allows applications and PAM modules to automatically find libpam,
libpam_misc and libpamc if they are installed instead of having to
manually search for them.
| |
Since many distributions are shipping a version of libxcrypt >= 4.0.0
as a replacement for glibc's libcrypt now, older versions of xcrypt,
which could be installed in parallel, are not relevant anymore.
* configure.ac (AC_CHECK_HEADERS): Remove xcrypt.h.
(AC_SEARCH_LIBS): Remove xcrypt.
(AC_CHECK_FUNCS): Remove crypt_gensalt_r.
(AC_DEFINE): Remove HAVE_LIBXCRYPT.
* modules/pam_pwhistory/opasswd.c [HAVE_LIBXCRYPT]: Remove.
* modules/pam_unix/bigcrypt.c [HAVE_LIBXCRYPT]: Likewise.
* modules/pam_userdb/pam_userdb.c [HAVE_LIBXCRYPT]: Likewise.
* modules/pam_unix/passverify.c [HAVE_LIBXCRYPT]: Likewise.
(create_password_hash) [HAVE_LIBXCRYPT]: Likewise.